Saturday, June 6, 2009

How to install Scalr on Ubuntu 8.10 EC2 Instance

Presentation:


If Amazon EC2 doesn't ring a bell, chances are that you are looking at the wrong page to find solutions for your problems. EC2 stands for Elastic Compute Cloud and it's a service offered by Amazon. I will not go into detail about the advantages of using it, since that is outside the scope of this post. You can read more about it here: http://aws.amazon.com/ec2/

Scalr is a fully redundant, self-curing and self-scaling hosting environment utilizing Amazon's EC2. You can build farms of Amazon instances that do load balancing using nginx, serve web pages using Apache 2, and run MySQL master-slave servers, or you can define your own roles.

The beauty of this is that you don't have to monitor the health of your server infrastructure; Scalr will do it for you. If a node type gets overloaded, Scalr will launch another instance to spread the load and the cluster will be reconfigured.

Preparing:

Generate a new key for scalr instance:
ec2-add-keypair scalr-keypair > id_rsa-scalr-keypair
Edit id_rsa-scalr-keypair so it begins with
-----BEGIN RSA PRIVATE KEY-----
and is terminated with
-----END RSA PRIVATE KEY-----
Make sure you have the correct permissions for this key:

#chmod 600 id_rsa-scalr-keypair

If everything went ok you should see your new key when executing

>ec2-describe-keypairs


Choosing the right AMI:

For the instance we will be using ami-7806e211 which is an AMI containing a base install of Ubuntu 8.10 Intrepid Ibex Release. More details here.

Start the instance:

ec2-run-instances -z us-east-1a -k scalr-keypair ami-7806e211
You will get some output. Look for the line that begins with INSTANCE and write down the id of the instance (i-XXXXXXXX) and the address of the instance (ec2-XX-XX-XX-XX.compute-1.amazonaws.com). The status of your instance should be pending.

Check the status of your instance in a couple of minutes:
>ec2-describe-instances i-XXXXXXXX

When the status is running, your instance is ready for work. You should have at least the ssh and web ports open (22 and 80). If you are not sure, execute the following commands:

ec2-authorize default -p 22
ec2-authorize default -p 80



Now connect to your instance using ssh:
ssh -i id_rsa-scalr-keypair -v ec2-XX-XX-XX-XX.compute-1.amazonaws.com
The first time you connect you will be asked:
Are you sure you want to continue connecting (yes/no)?
Type yes and you should be the happy owner of a fresh Ubuntu Intrepid Ibex instance.

Update your system now:

#apt-get update
#apt-get upgrade


After the update is completed, log out and reboot your instance:
>ec2-reboot-instances i-XXXXXXXX

Installing required software:

Reconnect to your instance and install MySQL server and php extensions:
#apt-get install bind9 mysql-server mysql-client apache2 php5-cli libapache2-mod-php5 php5-mysql php5-mcrypt php5-mhash

When you install MySQL server you will be prompted to setup a password for the root account. Don't forget it, you will need it. Also you will have to restart Apache2 server after you finish installing everything, like this:

#/etc/init.d/apache2 restart

You could also download their php script that checks if your system has all the prerequisites:
#wget http://scalr.googlecode.com/files/testenvironment.php
#mv testenvironment.php /var/www/
#chmod a+r /var/www/testenvironment.php

Now point your browser to http://ec2-XX-XX-XX-XX.compute-1.amazonaws.com/testenvironment.php and see if everything is ok.

Most likely you will get only these 2 errors:
Errors:
• Cannot find SSH2 functions. Make sure that SSH2 Functions enabled.
• Cannot find SNMP functions. Make sure that SNMP Functions enabled.
Here is how to quickly fix them:

Adding SSH2 support to PHP5, better known as: why don't we have php5-ssh2?
#apt-get install php5-dev php-pear libssh2-1 libssh2-1-dev
Thought it would be easy? Not so quick. Try to install it with:
#pecl install ssh2 "channel://pecl.php.net/ssh2-0.10"
I got an error saying:
ERROR: `make' failed
Great! Let's fix that stupid error. Edit the file /tmp/pear/download/ssh2-0.10/ssh2.c and replace the line containing:

#if LIBSSH2_APINO <>
with
#if false


(Delete the if statement starting with if LIBSSH2_APINO <>)


Go to directory /tmp/pear/download/ssh2-0.10/ and compile the stuff manually:
#make && make install
#echo extension=ssh2.so >> /etc/php5/apache2/php.ini


I don't get why they don't fix this thing. A lot of people are having this problem and complaining!

Luckily for you and me snmp is a breeze, it is already in repositories:
#apt-get install php5-snmp

Restart apache server and check now if you have all the required extensions for scalr. You should have them.

Getting the latest version of Scalr:

At the time of writing this article, the latest version was 1.0 RC2.
Go to Scalr download page and copy the link to the latest release. Download it using wget:
#wget http://scalr.googlecode.com/files/scalr-1.0RC2.tar.gz
Extract it:
#tar zxvf scalr-1.0RC2.tar.gz

Create database for scalr and import the sql:
#mysqladmin -p create scalr
#mysql -p scalr <>


Put the scalr application in /var/scalr and change permissions as suggested in the spartan documentation of scalr:
#mkdir /var/scalr && cp -R scalr/* /var/scalr/
#chmod 777 -R /var/scalr/app/cache /var/scalr/app/cron/cron.pid /var/scalr/app/etc/.passwd

ATTENTION: I'm not planning on using this instance for anything else except scalr. Also this is a clean install so I don't have anything of interest in /var/www. Read the first of the following lines carefully:

#rm -rf /var/www/
#ln -sf /var/scalr/app/www /var/
#chmod a+rX -R /var/www


Edit the file /var/scalr/app/etc/config.ini and update it to your values:

[db]
driver=mysql ;Actually mysql is the only option here - mysqli doesn't support nconnect(), which is essential for PCNTL (which is essential for cronjobs)
host = "localhost"
name = "scalr"
user = "root"
pass = "*YOUR MYSQL PASS HERE*"


TO DO: make a mysql user for scalr.

Put your EC2 access certificate into /var/scalr/app/etc/cert-XXXXXXXXXXXX.pem
Put your EC2 private key into /var/scalr/app/etc/pk-XXXXXXXXXXXX.pem
ATTENTION: This part is a bit tricky. If you don't put the right settings you will not be able to start instances. I warned you!

Login to Amazon AWS and go to Home->Your Account->Access Identifiers
Go to http://ec2-XX-XX-XX-XX.compute-1.amazonaws.com/ and login with admin/admin
Go to Settings->Core Settings. Modify the following fields:
Password: duh!!! change it!
Email: your email address here
Account ID: AWS Account Number, it's called Account Number in AWS and it's top right. Remove the '-' from the number
Key Name: Scroll down in AWS until you see Your X.509 Certificate: Copy everything between 'cert-' and '.pem'. Also XXXXXXXXXXXXXX is the string in the filenames of cert-XXXXXXXXXXXXX.pem and pk-XXXXXXXXXXX.pem. If they don't match you will have problems.
Access Key: Look for Your Secret Access Key: in AWS and click on Show. Copy the string.
Access key ID: is Your Access Key ID: in AWS.

Hit save.

Setting crontab:


Type crontab -e and add the following lines to cron:
* * * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --Poller
1 1 * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --RotateLogs
*/15 * * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --MySQLMaintenance
*/6 * * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --DNSMaintenance
*/3 * * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --DNSZoneListUpdate
*/2 * * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --DBQueueEvent
*/11 * * * * /usr/bin/php -q /var/scalr/app/cron/cron.php --Cleaner

You are done. I hope.

How to terminate the instance:

I thought I would write down instructions on how to terminate an instance. You should know how, but just in case, here is how to stop the instance forever and not pay for it anymore. ATTENTION: terminate will really delete the instance so there is no way you can reconnect to it or recover it. Double check which instance you terminate!
ec2-terminate-instances i-XXXXXXXX

Wednesday, June 3, 2009

SAMBA Notes

SAMBA

Samba Client Commands:

IN WINDOWS:

Delete the current session with the Windows machine (so that the password is asked again for a Samba share)
# net use \\centos\ipc$ /delete (delete the current sessions)
# net use (shows the current session)

Mapping a drive using a specific user name:

C:\Documents and Settings\krn>net use * \\centos\privilage /user:kiran
The password is invalid for \\centos\privilage.

Enter the password for 'kiran' to connect to 'centos':
Drive Z: is now connected to \\centos\privilage.

The command completed successfully.

To delete the mapped drive:

C:\Documents and Settings\krn>net use z: /delete
z: was deleted successfully.

# net view (shows the workgroup computers in windows)

IN LINUX:

smbmount:
# mount -t smbfs -ousername=krn,fmask=777,dmask=755 //kiran/sOftwares/ /mnt
# mount -t smbfs -ousername=krn //kiran/sOftwares/ /mnt
# mount -t smbfs -ocredentials=/home/samba-credential-file.txt //kiran/sOftwares/ /mnt

The smbfs module needs to be compiled for the kernel.

smbtar:
Back up the directory "dell" from the share "sOftwares" on the Windows host "kiran" with credentials krn & Matha***

# smbtar -s kiran -u krn -t test.tar -p Mathapoo -v -x sOftwares dell

smbget:
# smbget -u kiran -p Mathapoo smb://kiran/sOftwares/putty.exe

smbclient:
# smbclient -A samba_credentials //kiran/sOftwares
# smbclient -U kiran //kiran/sOftwares

Remote Desktop
# rdesktop -g 700x500 -a 16 192.168.1.1

NETSTAT:
# netstat -ntlp |grep :631
Find which service is bound to a port

STAT: To check the configuration file accessed by a daemon
# stat smb.conf

/etc/samba/smbuser:
This translates the users submitted by the Windows machine to users on the UNIX machine
eg:- root = administrator admin
nobody = guest pcguest smbguest
The Samba server uses this file to map the user name submitted by the Windows (external) machine to a local user.
(If guest attempts to connect from Windows, it is translated to nobody.)

SAMBA Security Modes:
1. SHARE - Security level on share
2. USER - Security level based on users (old method)
   a. User-level (/etc/passwd, /etc/shadow & /etc/samba/smbpasswd (back-end))
      Multiple back ends for user-level security:
      a. smbpasswd
      b. tdbsam
      c. LDAP
      d. MySQL
   Note:
   (How does user-level mode work?
   The client makes a request to samba -> samba consults the back ends for credentials and grants permission)

3. SERVER - Pass-through
4. DOMAIN - Member server (making it a member of a domain (passing the request to a configured domain))
5. ADS - Kerberos realm (making as PDC)




samba configuration settings:

smb.conf file:
Two sections:
1. Global section
2. Shared section


1. Global section (how the samba server appears in the network and whom to trust)
workgroup = sets the workgroup (forces the machine to be in this particular workgroup)
server string = the machine name that appears while browsing the machine
name resolve order = the order in which name resolution is done (wins hosts lmhosts bcast)
Notes:
Samba name resolution for all the samba client services is done through the following steps, in order:

First it consults
1. /etc/hosts; if the host name cannot be resolved it checks
2. /etc/samba/lmhosts; if it still cannot be resolved it consults
3. WINS - one or more IP addresses
4. Broadcast address (192.168.1.255) = referred to in smb.conf using the keyword "bcast"

WINS config: (making the samba server a WINS server/client)
wins support = (making the samba server a WINS server)
wins server = w.x.y.z (the WINS server address that this samba server has to bind to)

security = (defines the type of security that the samba server accepts while accessing the share)
security = user (samba uses /etc/passwd for authentication while accessing the share; users' home directories will be shared for the respective users)
security = share (samba doesn't use the /etc/passwd file for authentication and doesn't prompt for a password if public = yes is given. If public = no is given, it refers to the users defined in the share. The users' home directories will not be exported)

PRINTER Configuration:
printcap name = /etc/printcap (cups automatically updates the details in this file, and samba reads the printer information from this file and serves it)
cups options = raw (reformats the print job submitted by the client to the actual server format)

NETBIOS Alias in SAMBA:
netbios aliases = jithu (add this parameter to the [global] section; this adds a new netbios name to an existing server, giving a SAMBA server multiple names. Useful if an old server has been decommissioned and its old netbios name needs to be preserved)

2. Shared section (the shares and permissions can be defined here)
public = yes (this directive makes the share available to everyone)
invalid users = kiran (the user (kiran) will not be able to access this particular share)

Find Out If PCI Hardware Supported or Not In The Current Running Kernel


A typical question from my mailbag:

How do I find out if a given PCI hardware is supported by the current CentOS / Debian / RHEL / Fedora Linux kernel?

You can easily find out if a given piece of PCI hardware such as a RAID, network, sound or graphics card is supported by the current Linux kernel using the following utilities under any Linux distribution.

Required Tools

  1. /lib/modules/$(uname -r)/modules.pcimap : This file is automatically generated by depmod, and used by the pcimodules command to determine which modules correspond to which PCI IDs. You need to use this file to find out whether a driver is supported.
  2. lspci command - list and query all PCI devices connected to the system.

Use lspci Command To List All PCI Devices

Will an Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller Card be taken care of by Linux kernel 2.6.27-11-server?
$ lspci
$ lspci | grep -i audio

Sample Output:

00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)

Note down the identifier in first field i.e. 00:1b.0. Now use lspci -n as follows to get result for device 00:1b.0.
$ lspci -n | grep 00:1b.0
Sample Output:

00:1b.0 0403: 8086:27d8 (rev 01)

Where,

  • 00:1b.0 - Device
  • 8086 - Vendor ID (Intel Corporation)
  • 27d8 - Device (model) ID

Use the model id to search for the driver, as follows:
$ grep 27d8 /lib/modules/$(uname -r)/modules.pcimap
Sample Output:

snd-hda-intel        0x00008086 0x000027d8 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0

snd-hda-intel is the kernel driver that handles this PCI audio device. You can get more information about this driver by typing the following:
$ modinfo snd-hda-intel
$ modinfo snd-hda-intel| egrep 'description|filename|depends'

Sample Output:

filename:       /lib/modules/2.6.27-11-server/kernel/sound/pci/hda/snd-hda-intel.ko
description: Intel HDA driver
depends: snd-pcm,snd-page-alloc,snd

Another example - Will an Adaptec AAC-RAID SCSI SA Card work with Linux kernel v2.6.18-128.1.10.el5 (CentOS / RHEL 5 kernel)?

Type the following commands:
$ lspci | grep -i RAID
Output:

07:0e.0 RAID bus controller: Adaptec AAC-RAID

Get device id:
$ lspci -n | grep '07:0e.0'
Output:

07:0e.0 0104: 9005:0285

Search for device id to driver mapping:
$ grep 0285 /lib/modules/$(uname -r)/modules.pcimap
Output:

aacraid              0x00009005 0x00000285 0x00009005 0x00000286 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000285 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000287 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x000017aa 0x00000286 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x000017aa 0x00000287 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000288 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000289 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x0000028a 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x0000028b 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x000002a4 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x000002a5 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x0000028e 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x0000028f 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000290 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00001028 0x00000291 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000292 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000293 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000294 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x0000103c 0x00003227 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000296 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000297 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00001014 0x000002f2 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00001014 0x00000312 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000298 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x00000299 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00009005 0x0000029a 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00001028 0x00000287 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x00001028 0xffffffff 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0x000017aa 0xffffffff 0x00000000 0x00000000 0x0
aacraid 0x00009005 0x00000285 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
ata_piix 0x00008086 0x00002850 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0

Get detailed information about aacraid driver:
$ modinfo aacraid | egrep 'description|filename|depends'
Output:

filename:       /lib/modules/2.6.18-128.1.10.el5/kernel/drivers/scsi/aacraid/aacraid.ko
description: Dell PERC2, 2/Si, 3/Si, 3/Di, Adaptec Advanced Raid Products, HP NetRAID-4M, IBM ServeRAID & ICP SCSI driver
depends: scsi_mod
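
The grep on the device ID alone is a substring match, which is why the ata_piix line (device 0x2850) appears in the search for 0285 above. The following is an added example, not part of the original article: it takes the vendor:device pair from lspci -n output and compares both fields exactly against modules.pcimap, treating 0xffffffff as a wildcard. The function names and the sample data (built from the output shown above) are constructed for illustration.

```shell
#!/bin/sh
# pci_ids_for_slot SLOT  (reads `lspci -n` output on stdin)
# Prints "VENDOR DEVICE" for the given slot, e.g. "9005 0285".
pci_ids_for_slot() {
    awk -v slot="$1" '$1 == slot { split($3, id, ":"); print id[1], id[2]; exit }'
}

# pcimap_lookup VENDOR DEVICE [PCIMAP_FILE]
# Prints each module whose vendor and device fields match exactly.
pcimap_lookup() {
    vendor=$1
    device=$2
    map=${3:-/lib/modules/$(uname -r)/modules.pcimap}
    awk -v v="$vendor" -v d="$device" '
        function norm(x) {          # "0x00009005" or "9005" -> "9005"
            x = tolower(x)
            sub(/^0x/, "", x)
            sub(/^0+/, "", x)
            return x
        }
        BEGIN { v = norm(v); d = norm(d) }
        /^#/ || NF < 3 { next }     # skip header comments and short lines
        {
            mv = norm($2); md = norm($3)
            # 0xffffffff in the map means "any ID"
            if ((mv == v || mv == "ffffffff") && (md == d || md == "ffffffff"))
                if (!seen[$1]++) print $1
        }
    ' "$map"
}

# modules_for_slot SLOT LSPCI_N_FILE PCIMAP_FILE
modules_for_slot() {
    ids=$(pci_ids_for_slot "$1" < "$2")
    [ -n "$ids" ] || return 1
    mapfile_path=$3
    set -- $ids                     # $1 = vendor, $2 = device
    pcimap_lookup "$1" "$2" "$mapfile_path"
}

# Constructed sample input, taken from the output shown in this article.
sample_lspci_n() {
cat <<'EOF'
00:1b.0 0403: 8086:27d8 (rev 01)
07:0e.0 0104: 9005:0285
EOF
}

sample_pcimap() {
cat <<'EOF'
# pci module         vendor     device     subvendor  subdevice  class      class_mask driver_data
snd-hda-intel        0x00008086 0x000027d8 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
aacraid              0x00009005 0x00000285 0x00009005 0x00000286 0x00000000 0x00000000 0x0
aacraid              0x00009005 0x00000285 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
ata_piix             0x00008086 0x00002850 0xffffffff 0xffffffff 0x00000000 0x00000000 0x0
EOF
}

# Demo: compare the substring grep with the exact match.
demo_dir=$(mktemp -d)
sample_lspci_n > "$demo_dir/lspci-n.txt"
sample_pcimap  > "$demo_dir/modules.pcimap"
echo "substring grep: $(grep 0285 "$demo_dir/modules.pcimap" | awk '{print $1}' | sort -u | tr '\n' ' ')"
echo "exact match:    $(modules_for_slot 07:0e.0 "$demo_dir/lspci-n.txt" "$demo_dir/modules.pcimap")"
rm -rf "$demo_dir"
```

On a real system, call pcimap_lookup with only the vendor and device IDs to read the running kernel's modules.pcimap.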

Task: Show kernel drivers handling each device and also kernel modules capable of handling it

Pass the -k option (works with latest lspci version only):
$ lspci -k
Sample Output:

00:00.0 Host bridge: Intel Corporation 82975X Memory Controller Hub
Kernel modules: i82975x_edac
00:01.0 PCI bridge: Intel Corporation 82975X PCI Express Root Port
Kernel driver in use: pcieport-driver
Kernel modules: shpchp
00:1b.0 Audio device: Intel Corporation 82801G (ICH7 Family) High Definition Audio Controller (rev 01)
Kernel driver in use: HDA Intel
Kernel modules: snd-hda-intel
00:1c.0 PCI bridge: Intel Corporation 82801G (ICH7 Family) PCI Express Port 1 (rev 01)
Kernel driver in use: pcieport-driver
Kernel modules: shpchp
00:1c.4 PCI bridge: Intel Corporation 82801GR/GH/GHM (ICH7 Family) PCI Express Port 5 (rev 01)
Kernel driver in use: pcieport-driver
Kernel modules: shpchp
00:1c.5 PCI bridge: Intel Corporation 82801GR/GH/GHM (ICH7 Family) PCI Express Port 6 (rev 01)
Kernel driver in use: pcieport-driver
Kernel modules: shpchp
00:1d.0 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #1 (rev 01)
Kernel driver in use: uhci_hcd
Kernel modules: uhci-hcd
00:1d.1 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #2 (rev 01)
Kernel driver in use: uhci_hcd
Kernel modules: uhci-hcd
00:1d.2 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #3 (rev 01)
Kernel driver in use: uhci_hcd
Kernel modules: uhci-hcd
00:1d.3 USB Controller: Intel Corporation 82801G (ICH7 Family) USB UHCI Controller #4 (rev 01)
Kernel driver in use: uhci_hcd
Kernel modules: uhci-hcd
00:1d.7 USB Controller: Intel Corporation 82801G (ICH7 Family) USB2 EHCI Controller (rev 01)
Kernel driver in use: ehci_hcd
Kernel modules: ehci-hcd
00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev e1)
00:1f.0 ISA bridge: Intel Corporation 82801GB/GR (ICH7 Family) LPC Interface Bridge (rev 01)
Kernel modules: intel-rng, iTCO_wdt
00:1f.1 IDE interface: Intel Corporation 82801G (ICH7 Family) IDE Controller (rev 01)
Kernel driver in use: ata_piix
Kernel modules: ata_piix
00:1f.2 IDE interface: Intel Corporation 82801GB/GR/GH (ICH7 Family) SATA IDE Controller (rev 01)
Kernel driver in use: ata_piix
Kernel modules: ata_piix
00:1f.3 SMBus: Intel Corporation 82801G (ICH7 Family) SMBus Controller (rev 01)
Kernel driver in use: i801_smbus
Kernel modules: i2c-i801
01:00.0 VGA compatible controller: nVidia Corporation Quadro FX 570 (rev a1)
Kernel driver in use: nvidia
Kernel modules: nvidia, nvidiafb
03:00.0 SATA controller: Marvell Technology Group Ltd. 88SE6145 SATA II PCI-E controller (rev a1)
Kernel driver in use: pata_marvell
Kernel modules: ahci, pata_marvell
04:00.0 Ethernet controller: Intel Corporation 82573E Gigabit Ethernet Controller (Copper) (rev 03)
Kernel driver in use: e1000e
Kernel modules: e1000e
04:00.3 Serial controller: Intel Corporation Active Management Technology - SOL (rev 03)
Kernel driver in use: serial
04:00.4 IPMI SMIC interface: Intel Corporation 82573E KCS (Active Management) (rev 03)
05:02.0 Ethernet controller: Marvell Technology Group Ltd. 88w8335 [Libertas] 802.11b/g Wireless (rev 03)
Kernel driver in use: ndiswrapper
05:04.0 FireWire (IEEE 1394): Texas Instruments TSB43AB23 IEEE-1394a-2000 Controller (PHY/Link)
Kernel driver in use: ohci1394
Kernel modules: ohci1394

Task: Lists all driver modules for all currently plugged in PCI devices

Type the pcimodules command (again you need updated pciutils package):
$ pcimodules
Sample Output:

ohci1394
ipmi_si
e1000e
ahci
pata_marvell
nvidia
nvidiafb
i2c-i801
ata_piix
ata_generic
pata_acpi
ata_piix
ata_generic
pata_acpi
intel-rng
iTCO_wdt
ehci-hcd
uhci-hcd
shpchp
snd-hda-intel
shpchp
i82975x_edac

Task: Update pci.ids Database

The /usr/share/hwdata/pci.ids file lists all known IDs used in PCI devices: IDs of vendors, devices, subsystems and device classes. You can update this database by typing the following command at a shell prompt:
$ update-pciids

SS: Display Linux TCP / UDP Network and Socket Information



The ss command is used to dump socket statistics. It shows information similar to the netstat command, and it can display more TCP and state information than other tools. It is a new, incredibly useful and faster (compared to netstat) tool for tracking TCP connections and sockets. ss can provide information about:

  • All TCP sockets.
  • All UDP sockets.
  • All established ssh / ftp / http / https connections.
  • All local processes connected to X server.
  • All the tcp sockets in state FIN-WAIT-1 and much more.


Most Linux distributions are shipped with ss and many monitoring tools. Being familiar with this tool helps enhance your understanding of what's going on in the system sockets and helps you find the possible causes of a performance problem.

Task: Display Sockets Summary

List currently established, closed, orphaned and waiting TCP sockets, enter:
# ss -s
Sample Output:

Total: 734 (kernel 904)
TCP: 1415 (estab 112, closed 1259, orphaned 11, synrecv 0, timewait 1258/0), ports 566

Transport Total IP IPv6
* 904 - -
RAW 0 0 0
UDP 15 12 3
TCP 156 134 22
INET 171 146 25
FRAG 0 0 0

Task: Display All Open Network Ports

# ss -l
Sample Output:

ss -l
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 127.0.0.1:smux *:*
0 0 127.0.0.1:10024 *:*
0 0 127.0.0.1:10025 *:*
0 0 *:3306 *:*
0 0 *:http *:*
0 0 *:4949 *:*
0 0 *:domain *:*
0 0 *:ssh *:*
0 0 *:smtp *:*
0 0 127.0.0.1:rndc *:*
0 0 127.0.0.1:6010 *:*
0 0 *:https *:*
0 0 :::34571 :::*
0 0 :::34572 :::*
0 0 :::34573 :::*
0 0 ::1:rndc :::*

Type the following to see the names of the processes using the open sockets:
# ss -pl
Find out who is responsible for opening socket / port # 4949:
# ss -lp | grep 4949
Sample output:

0      0                            *:4949                          *:*        users:(("munin-node",3772,5))

munin-node (PID # 3772) is responsible for opening port # 4949. You can get more information about this process (like memory used, users, current working directory and so on) by visiting the /proc/3772 directory:
# cd /proc/3772
# ls -l
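
When reviewing a host, the useful split in that listing is between listeners bound to loopback only and listeners reachable from the network, such as *:3306 in the sample above. The following is an added example, not part of the original article: an awk filter that classifies each line of ss -l / ss -lp output that way and extracts the owning process name when present. The function names and the sample input (assembled from the output shown above) are constructed for illustration.

```shell
#!/bin/sh
# classify_listeners: reads `ss -l` or `ss -lp` output on stdin and prints
#   CLASS ADDRESS PORT PROCESS
# CLASS is LOCAL for loopback-only listeners and EXPOSED for everything else.
classify_listeners() {
    awk '
        /Address:Port/ { next }                    # header row
        {
            # The local endpoint is the first field containing a colon, so
            # layouts with leading State/Netid columns are accepted too.
            local_ep = ""
            for (i = 1; i <= NF; i++)
                if (index($i, ":") && $i !~ /^users:/) { local_ep = $i; break }
            if (local_ep == "") next

            # The last colon separates address and port ("::1:rndc" -> "::1", "rndc").
            match(local_ep, /:[^:]*$/)
            addr = substr(local_ep, 1, RSTART - 1)
            port = substr(local_ep, RSTART + 1)

            # Process name from users:(("name",pid,fd)) when ss -p was used.
            proc = "-"
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)

            class = (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") ? "LOCAL" : "EXPOSED"
            print class, addr, port, proc
        }
    '
}

# exposed_listeners: only the network-reachable ones, as "PORT PROCESS".
exposed_listeners() {
    classify_listeners | awk '$1 == "EXPOSED" { print $3, $4 }'
}

# Constructed sample input, assembled from the ss output shown in this article.
sample_ss_l() {
cat <<'EOF'
Recv-Q Send-Q Local Address:Port Peer Address:Port
0 0 127.0.0.1:smux *:*
0 0 *:3306 *:*
0 0 *:4949 *:* users:(("munin-node",3772,5))
0 0 *:ssh *:*
0 0 127.0.0.1:rndc *:*
0 0 :::34571 :::*
0 0 ::1:rndc :::*
EOF
}

# Demo on the sample; on a live host use:  ss -lp | classify_listeners
sample_ss_l | classify_listeners
```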

Task: Display All TCP Sockets

# ss -t -a

Task: Display All UDP Sockets

# ss -u -a

Task: Display All Established SMTP Connections

# ss -o state established '( dport = :smtp or sport = :smtp )'

Task: Display All Established HTTP Connections

# ss -o state established '( dport = :http or sport = :http )'

Task: Find All Local Processes Connected To X Server

# ss -x src /tmp/.X11-unix/*

Task: List All The Tcp Sockets in State FIN-WAIT-1

List all the TCP sockets in state FIN-WAIT-1 for our httpd to network 202.54.1/24 and look at their timers:
# ss -o state fin-wait-1 '( sport = :http or sport = :https )' dst 202.54.1/24

Postfix mail server main.cf example

#### main.cf #####
queue_directory = /var/spool/postfix
command_directory = /usr/sbin
daemon_directory = /usr/libexec/postfix
mail_owner = postfix
myhostname = mail.domain.com
mydomain = domain.com
myorigin = $myhostname
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, /etc/postfix/hostnames
local_recipient_maps =
unknown_local_recipient_reject_code = 550
non_fqdn_reject_code = 554
mynetworks = 192.168.1.0/24, 127.0.0.0/8, 192.168.0.0/24
#mynetworks =
relay_domains = $mydestination
alias_maps = hash:/etc/postfix/aliases
alias_database = hash:/etc/aliases
home_mailbox = Maildir/
mail_spool_directory = /var/spool/mail
mailbox_command = /usr/bin/procmail
header_checks = regexp:/etc/postfix/header_checks
smtpd_banner = **************
#local_destination_concurrency_limit = 2
#default_destination_concurrency_limit = 20
debug_peer_level = 2
debugger_command =
	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
	 xxgdb $daemon_directory/$process_name $process_id & sleep 5
sendmail_path = /usr/sbin/sendmail.postfix
newaliases_path = /usr/bin/newaliases.postfix
mailq_path = /usr/bin/mailq.postfix
setgid_group = postdrop
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_local_domain = $myhostname
broken_sasl_auth_clients = yes
bounce_queue_lifetime = 4h
maximal_queue_lifetime = 1d

sender_bcc_maps = hash:/etc/postfix/sender_copy

recipient_bcc_maps = hash:/etc/postfix/recipient_copy

smtpd_client_restrictions = reject_rbl_client bl.spamcop.net, permit

#smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client sbl.spamhaus.org, reject_rhsbl_sender nomail.rhsbl.sorbs.net, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_rbl_client multihop.dsbl.org, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender rddb.dnsbl.net.au, reject_rhsbl_sender endn.dnsbl.net.au, reject_unauth_destination

#smtpd_recipient_restrictions = check_recipient_access hash:/etc/postfix/protected_destinations, permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client sbl.spamhaus.org, reject_rhsbl_sender nomail.rhsbl.sorbs.net, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_rbl_client multihop.dsbl.org, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender rddb.dnsbl.net.au, reject_rhsbl_sender endn.dnsbl.net.au, reject_unauth_destination


#To remove multihop.dsbl.org
#smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination, reject_unknown_sender_domain, reject_unauth_pipelining, reject_non_fqdn_sender, check_recipient_access hash:/etc/postfix/protected_destinations, check_sender_access hash:/etc/postfix/sender_access, reject_rbl_client pbl.spamhaus.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client xbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org, reject_rbl_client list.dsbl.org, reject_rbl_client rmst.dnsbl.net.au, reject_rbl_client xbl.spamhaus.org, reject_rbl_client pbl.spamhaus.org, reject_rhsbl_sender nomail.rhsbl.sorbs.net, reject_rbl_client ucepn.dnsbl.net.au, reject_rbl_client blackholes.easynet.nl, reject_rhsbl_sender blackhole.securitysage.com, reject_rbl_client sorbs.dnsbl.net.au, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_rbl_client zen.spamhaus.org, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rbl_client psbl.surriel.com, reject_rbl_client t1.dnsbl.net.au, reject_rbl_client rddb.dnsbl.net.au, reject_rhsbl_client ucepn.dnsbl.net.au, reject_rbl_client endn.dnsbl.net.au, reject_unauth_destination


smtpd_recipient_restrictions = permit_mynetworks, reject_rbl_client xbl.spamhaus.org, check_sender_access hash:/etc/postfix/sender_access, check_recipient_access hash:/etc/postfix/protected_destinations, reject_rbl_client list.dsbl.org, reject_rbl_client sbl-xbl.spamhaus.org, reject_rbl_client cbl.abuseat.org, reject_rbl_client xbl.spamhaus.org, reject_rbl_client sbl.spamhaus.org, reject_rhsbl_sender nomail.rhsbl.sorbs.net, reject_rbl_client blackholes.easynet.nl, reject_rbl_client proxies.blackholes.wirehub.net, reject_rbl_client bl.spamcop.net, reject_rbl_client dnsbl.njabl.org, reject_rhsbl_client blackhole.securitysage.com, reject_rhsbl_sender blackhole.securitysage.com, reject_rhsbl_sender dsn.rfc-ignorant.org, reject_rhsbl_sender rddb.dnsbl.net.au, reject_rhsbl_sender endn.dnsbl.net.au, reject_unauth_destination



#smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, hash:/etc/postfix/access
smtpd_sender_restrictions = permit_mynetworks, check_sender_access hash:/etc/postfix/sender_access, hash:/etc/postfix/access

mailbox_size_limit = 2147483648

smtpd_restriction_classes = alias_allow
alias_allow = check_sender_access hash:/etc/postfix/connexios_allow, check_sender_access hash:/etc/postfix/access, reject
masquerade_domains = domain.com